1. Field of the Invention
This invention relates generally to communication systems, and, more particularly, to wireless communication systems.
2. Description of the Related Art
The coverage area of a wireless communication system is typically divided into a number of geographic areas that are often referred to as cells. Mobile units located in each cell may access the wireless communications system by establishing a wireless communication link, often referred to as an air interface, with a base station associated with the cell. The mobile units may include devices such as mobile telephones, personal data assistants, smart phones, Global Positioning System devices, wireless network interface cards, desktop or laptop computers, and the like. Communication between the mobile unit and the base station may be authenticated and/or secured using one or more authentication protocols.
Mobile units having an established security association with a first base station may roam to another cell served by a second base station. The second base station and a roaming mobile unit may therefore mutually authenticate and/or validate each other to verify the legitimacy of the second base station and the mobile unit before beginning secure transmissions. For example, in a WiMAX wireless communication system such as defined by the IEEE 802.16e standards, the mobile unit may validate a message authentication code (e.g., a cipher-based message authentication code, CMAC, and/or a hashed message authentication code, HMAC) that is generated by the second base station and attached to a downlink message provided to the mobile unit. The base station also validates a message authentication code provided by the mobile unit in an uplink message. The message authentication codes are generated using secret keys derived from the secret key AK.
Authentication schemes that use message authentication codes to validate roaming mobile units to base stations may be vulnerable to replay (or repeat) attacks. In a replay attack, an illegitimate mobile unit or base station intercepts a valid message authentication code in an uplink or downlink message from a legitimate mobile unit or base station. The illegitimate mobile unit or base station then transmits a copy of the valid message authentication code to a base station or mobile unit, which may then initiate secure communication with the illegitimate mobile unit or base station based on the replayed copy of the valid message authentication code.
Replay attacks may be prevented by including a counter (or crypto-sync) in the computation of the message authentication code. For example, the IEEE 802.16e standards define two CMAC Packet Number Counters, which are four byte sequential counters that may be incremented in the context of an uplink message by the mobile unit and in the context of a downlink message by the base station. The downlink counter CMAC_PN_D is maintained by the base station and incremented for every downlink message transmitted to the mobile unit. The uplink counter CMAC_PN_U is maintained by the mobile unit and incremented for every uplink message transmitted to the base station. The receiving side may then verify that the value of the received counter has not been repeated. For example, the receiving side may insure that the received counter is larger than the previous value of the counter received from the transmitting side.
Conventional authentication schemes, such as the WiMAX wireless communication system defined by the IEEE 802.16e standards, associate the uplink and a downlink counters with the secret key AK. Since the secret key AK is unique to each security association between a base station and a mobile unit, the base stations and mobile units in the wireless communication system must maintain a record of the secret key, the current value of the uplink counter, the current value of the downlink counter, and other AK-related parameters. This combination is typically referred to as the AK context. To prevent replay attacks, each base station must maintain a record of the AK context for each mobile unit that ever had a security association with this base station and each mobile unit must maintain a record of the AK context for every base station that it ever had a security association with.
Caching of the AK context at every mobile unit and base station is inefficient and consumes a large amount of storage. Caching of the AK context at every mobile unit and base station may also create a security vulnerability. For example, if the size of the caching storage element is exceeded, the oldest AK context may be purged to allow room for a new AK context. Once the old AK context is lost, the receiving site cannot validate the freshness of the received counters and repeat or replay attacks may become possible.